Friday, September 18, 2009

named.conf — The ordering of our views is very important. The named daemon uses the first view that matches the client. Because our external view permits all clients, our internal clients would also match this view. For this reason we place our internal view first (permitting only our approved internal hosts) and our external view second (permitting all comers).

// @(#)named.conf 02 OCT 2001 Rob Thomas noc@cymru.com
//
// ACL definitions.
// BIND 8 distinguished a quoted ACL name from the same name unquoted;
// BIND 9 treats "xfer" and xfer as one and the same ACL.
acl "xfer" {
    // Nobody may pull a zone transfer from this server. Secondary
    // name servers, should any be added later, are listed here.
    none;
};

acl "trusted" {

// Place our internal and DMZ subnets in here so that
// intranet and DMZ clients may send DNS queries. This
// also prevents outside hosts from using our name server
// as a resolver for other domains.
// (8.8.8.0/24 below is only an example entry; list your own subnets.)
8.8.8.0/24; localhost;

// Prevent DoS attacks that work by triggering bogus zone transfer
// requests. This will result in slower updates to the
// slave servers (e.g. they will await the poll interval
// before checking for updates).
notify no;

// Generate more efficient zone transfers. This will place
// multiple DNS records in a DNS message, instead of one per
// DNS message.
transfer-format many-answers;

// Set the maximum zone transfer time to something more
// reasonable. In this case, we state that any zone transfer
// that takes longer than 60 minutes is unlikely to ever
// complete. WARNING: If you have very large zone files,
// adjust this to fit your requirements.
max-transfer-time-in 60;

// We have no dynamic interfaces, so BIND shouldn't need to
// poll for interface state {UP|DOWN}.
interface-interval 0;

// Reverse zone for the 127/8 loopback network. Anyone may query it,
// but nobody may transfer it; every name server, master and slave
// alike, carries its own master copy of this zone.
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "master/db.127.0.0";
    allow-transfer { none; };
    allow-query { any; };
};

// Forward zone holding our internal A records; a site may have several
// zones of this kind. No per-zone allow-query/allow-transfer is given
// here, so access is governed by whatever server-wide defaults apply
// (not shown on this page) -- TODO confirm those before deployment.
zone "internal.ournetwork.com" in {
    type master;
    file "master/db.internal";
};

// Create a view for external DNS clients.
view "external-in" in {
    // Our external (untrusted) view. We permit any client to access
    // portions of this view. We do not perform recursion or cache
    // access for hosts using this view.